rule cfm_shell {
	meta:
		description = "Laudanum Injector Tools - file shell.cfm"
		author = "Florian Roth"
		reference = "http://laudanum.inguardians.com/"
		date = "2015-06-22"
		hash = "885e1783b07c73e7d47d3283be303c9719419b92"
	strings:
		$s1 = "Executable: <Input type=\"text\" name=\"cmd\" value=\"cmd.exe\"><br>" fullword ascii /* PEStudio Blacklist: strings */
		$s2 = "<cfif ( #suppliedCode# neq secretCode )>" fullword ascii /* PEStudio Blacklist: strings */
		$s3 = "<cfif IsDefined(\"form.cmd\")>" fullword ascii
	condition:
		filesize < 20KB and 2 of them
}
rule WEB_INF_web {
	meta:
		description = "Laudanum Injector Tools - file web.xml"
		author = "Florian Roth"
		reference = "http://laudanum.inguardians.com/"
		date = "2015-06-22"
		hash = "0251baed0a16c451f9d67dddce04a45dc26cb4a3"
	strings:
		$s1 = "<servlet-name>Command</servlet-name>" fullword ascii /* PEStudio Blacklist: strings */
		$s2 = "<jsp-file>/cmd.jsp</jsp-file>" fullword ascii
	condition:
		filesize < 1KB and all of them
}
rule CN_Honker_Webshell_mycode12 {
	meta:
		description = "Webshell from CN Honker Pentest Toolset - file mycode12.cfm"
		author = "Florian Roth"
		reference = "Disclosed CN Honker Pentest Toolset"
		date = "2015-06-23"
		score = 70
		hash = "64be8760be5ab5c2dcf829e3f87d3e50b1922f17"
	strings:
		$s1 = "<cfexecute name=\"cmd.exe\"" fullword ascii /* PEStudio Blacklist: strings */
		$s2 = "<cfoutput>#cmd#</cfoutput>" fullword ascii
	condition:
		filesize < 4KB and all of them
}
rule CN_Honker_Webshell_cfm_xl {
	meta:
		description = "Webshell from CN Honker Pentest Toolset - file xl.cfm"
		author = "Florian Roth"
		reference = "Disclosed CN Honker Pentest Toolset"
		date = "2015-06-23"
		score = 70
		hash = "49c3d16ee970945367a7d6ae86b7ade7cb3b5447"
	strings:
		$s0 = "<input name=\"DESTINATION\" value=\"" ascii /* PEStudio Blacklist: strings */
		$s1 = "<CFFILE ACTION=\"Write\" FILE=\"#Form.path#\" OUTPUT=\"#Form.cmd#\">" fullword ascii
	condition:
		uint16(0) == 0x433c and filesize < 13KB and all of them
}
rule CN_Honker_Webshell_PHP_linux {
	meta:
		description = "Webshell from CN Honker Pentest Toolset - file linux.txt"
		author = "Florian Roth"
		reference = "Disclosed CN Honker Pentest Toolset"
		date = "2015-06-23"
		score = 70
		hash = "78339abb4e2bb00fe8a012a0a5b7ffce305f4e06"
	strings:
		$s0 = "<form name=form1 action=exploit.php method=post>" fullword ascii /* PEStudio Blacklist: strings */
		$s1 = "<title>Changing CHMOD Permissions Exploit " fullword ascii
	condition:
		uint16(0) == 0x696c and filesize < 6KB and all of them
}
rule CN_Honker_Webshell_picloaked_1 {
	meta:
		description = "Webshell from CN Honker Pentest Toolset - file 1.gif"
		author = "Florian Roth"
		reference = "Disclosed CN Honker Pentest Toolset"
		date = "2015-06-23"
		score = 70
		hash = "3eab1798cbc9ab3b2c67d3da7b418d07e775db70"
	strings:
		$s0 = "<?php eval($_POST[" ascii /* PEStudio Blacklist: strings */
		$s1 = ";<%execute(request(" ascii /* PEStudio Blacklist: strings */
		$s3 = "GIF89a" fullword ascii /* Goodware String - occured 318 times */
	condition:
		filesize < 6KB and 2 of them
}
rule CN_Honker_Webshell_cfm_list {
	meta:
		description = "Webshell from CN Honker Pentest Toolset - file list.cfm"
		author = "Florian Roth"
		reference = "Disclosed CN Honker Pentest Toolset"
		date = "2015-06-23"
		score = 70
		hash = "85d445b13d2aef1df3b264c9b66d73f0ff345cec"
	strings:
		$s1 = "<TD><a href=\"javascript:ShowFile('#mydirectory.name#')\">#mydirectory.name#</a>" ascii /* PEStudio Blacklist: strings */
		$s2 = "<TD>#mydirectory.size#</TD>" fullword ascii
	condition:
		filesize < 10KB and all of them
}
rule CN_Honker_Webshell_cfmShell {
	meta:
		description = "Webshell from CN Honker Pentest Toolset - file cfmShell.cfm"
		author = "Florian Roth"
		reference = "Disclosed CN Honker Pentest Toolset"
		date = "2015-06-23"
		score = 70
		hash = "740796909b5d011128b6c54954788d14faea9117"
	strings:
		$s0 = "<cfexecute name=\"C:\\Winnt\\System32\\cmd.exe\"" fullword ascii /* PEStudio Blacklist: strings */
		$s4 = "<cfif FileExists(\"#GetTempDirectory()#foobar.txt\") is \"Yes\">" fullword ascii
	condition:
		filesize < 4KB and all of them
}
rule CN_Honker_Webshell_cmfshell {
	meta:
		description = "Webshell from CN Honker Pentest Toolset - file cmfshell.cmf"
		author = "Florian Roth"
		reference = "Disclosed CN Honker Pentest Toolset"
		date = "2015-06-23"
		score = 70
		hash = "b9b2107c946431e4ad1a8f5e53ac05e132935c0e"
	strings:
		$s1 = "<cfexecute name=\"C:\\Winnt\\System32\\cmd.exe\"" fullword ascii /* PEStudio Blacklist: strings */
		$s2 = "<form action=\"<cfoutput>#CGI.SCRIPT_NAME#</cfoutput>\" method=\"post\">" fullword ascii /* PEStudio Blacklist: strings */
	condition:
		filesize < 4KB and all of them
}
rule CN_Honker_Webshell_Linux_2_6_Exploit {
	meta:
		description = "Webshell from CN Honker Pentest Toolset - file 2.6.9"
		author = "Florian Roth"
		reference = "Disclosed CN Honker Pentest Toolset"
		date = "2015-06-23"
		score = 70
		hash = "ec22fac0510d0dc2c29d56c55ff7135239b0aeee"
	strings:
		$s0 = "[+] Failed to get root :( Something's wrong.  Maybe the kernel isn't vulnerable?" fullword ascii
	condition:
		filesize < 56KB and all of them
}
rule CN_Honker_Webshell_WebShell {
	meta:
		description = "Webshell from CN Honker Pentest Toolset - file WebShell.cgi"
		author = "Florian Roth"
		reference = "Disclosed CN Honker Pentest Toolset"
		date = "2015-06-23"
		score = 70
		hash = "7ef773df7a2f221468cc8f7683e1ace6b1e8139a"
	strings:
		$s1 = "$login = crypt($WebShell::Configuration::password, $salt);" fullword ascii /* PEStudio Blacklist: strings */
		$s2 = "my $error = \"This command is not available in the restricted mode.\\n\";" fullword ascii /* PEStudio Blacklist: strings */
		$s3 = "warn \"command: '$command'\\n\";" fullword ascii /* PEStudio Blacklist: strings */
	condition:
		filesize < 30KB and 2 of them
}

rule perlbot_pl {
	meta:
		description = "Semi-Auto-generated  - file perlbot.pl.txt"
		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
		hash = "7e4deb9884ffffa5d82c22f8dc533a45"
	strings:
		$s0 = "my @adms=(\"Kelserific\",\"Puna\",\"nod32\")"
		$s1 = "#Acesso a Shel - 1 ON 0 OFF"
	condition:
		1 of them
}

rule shellbot_pl {
	meta:
		description = "Semi-Auto-generated  - file shellbot.pl.txt"
		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
		hash = "b2a883bc3c03a35cfd020dd2ace4bab8"
	strings:
		$s0 = "ShellBOT"
		$s1 = "PacktsGr0up"
		$s2 = "CoRpOrAtIoN"
		$s3 = "# Servidor de irc que vai ser usado "
		$s4 = "/^ctcpflood\\s+(\\d+)\\s+(\\S+)"
	condition:
		2 of them
}

rule wh_bindshell_py {
	meta:
		description = "Semi-Auto-generated  - file wh_bindshell.py.txt"
		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
		hash = "fab20902862736e24aaae275af5e049c"
	strings:
		$s0 = "#Use: python wh_bindshell.py [port] [password]"
		$s2 = "python -c\"import md5;x=md5.new('you_password');print x.hexdigest()\"" fullword
		$s3 = "#bugz: ctrl+c etc =script stoped=" fullword
	condition:
		1 of them
}

rule lurm_safemod_on_cgi {
	meta:
		description = "Semi-Auto-generated  - file lurm_safemod_on.cgi.txt"
		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
		hash = "5ea4f901ce1abdf20870c214b3231db3"
	strings:
		$s0 = "Network security team :: CGI Shell" fullword
		$s1 = "#########################<<KONEC>>#####################################" fullword
		$s2 = "##if (!defined$param{pwd}){$param{pwd}='Enter_Password'};##" fullword
	condition:
		1 of them
}

rule telnet_pl {
	meta:
		description = "Semi-Auto-generated  - file telnet.pl.txt"
		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
		hash = "dd9dba14383064e219e29396e242c1ec"
	strings:
		$s0 = "W A R N I N G: Private Server"
		$s2 = "$Message = q$<pre><font color=\"#669999\"> _____  _____  _____          _____   "
	condition:
		all of them
}

rule WebShell_cgi {
	meta:
		description = "Semi-Auto-generated  - file WebShell.cgi.txt"
		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
		hash = "bc486c2e00b5fc3e4e783557a2441e6f"
	strings:
		$s0 = "WebShell.cgi"
		$s2 = "<td><code class=\"entry-[% if entry.all_rights %]mine[% else"
	condition:
		all of them
}
rule WinX_Shell_html {
	meta:
		description = "Semi-Auto-generated  - file WinX Shell.html.txt"
		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
		hash = "17ab5086aef89d4951fe9b7c7a561dda"
	strings:
		$s0 = "WinX Shell"
		$s1 = "Created by greenwood from n57"
		$s2 = "<td><font color=\\\"#990000\\\">Win Dir:</font></td>"
	condition:
		2 of them
}
rule Java_Shell_js {
	meta:
		description = "Semi-Auto-generated  - file Java Shell.js.txt"
		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
		hash = "36403bc776eb12e8b7cc0eb47c8aac83"
	strings:
		$s2 = "PySystemState.initialize(System.getProperties(), null, argv);" fullword
		$s3 = "public class JythonShell extends JPanel implements Runnable {" fullword
		$s4 = "public static int DEFAULT_SCROLLBACK = 100"
	condition:
		2 of them
}

rule Asmodeus_v0_1_pl {
	meta:
		description = "Semi-Auto-generated  - file Asmodeus v0.1.pl.txt"
		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
		hash = "0978b672db0657103c79505df69cb4bb"
	strings:
		$s0 = "[url=http://www.governmentsecurity.org"
		$s1 = "perl asmodeus.pl client 6666 127.0.0.1"
		$s2 = "print \"Asmodeus Perl Remote Shell"
		$s4 = "$internet_addr = inet_aton(\"$host\") or die \"ALOA:$!\\n\";" fullword
	condition:
		2 of them
}

rule connectback2_pl {
	meta:
		description = "Semi-Auto-generated  - file connectback2.pl.txt"
		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
		hash = "473b7d226ea6ebaacc24504bd740822e"
	strings:
		$s0 = "#We Are: MasterKid, AleXutz, FatMan & MiKuTuL                                   "
		$s1 = "echo --==Userinfo==-- ; id;echo;echo --==Directory==-- ; pwd;echo; echo --==Shel"
		$s2 = "ConnectBack Backdoor"
	condition:
		1 of them
}

rule s72_Shell_v1_1_Coding_html {
	meta:
		description = "Semi-Auto-generated  - file s72 Shell v1.1 Coding.html.txt"
		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
		hash = "c2e8346a5515c81797af36e7e4a3828e"
	strings:
		$s0 = "Dizin</font></b></font><font face=\"Verdana\" style=\"font-size: 8pt\"><"
		$s1 = "s72 Shell v1.0 Codinf by Cr@zy_King"
		$s3 = "echo \"<p align=center>Dosya Zaten Bulunuyor</p>\""
	condition:
		1 of them
}

rule Ayyildiz_Tim___AYT__Shell_v_2_1_Biz_html {
	meta:
		description = "Semi-Auto-generated  - file Ayyildiz Tim  -AYT- Shell v 2.1 Biz.html.txt"
		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
		hash = "8a8c8bb153bd1ee097559041f2e5cf0a"
	strings:
		$s0 = "Ayyildiz"
		$s1 = "TouCh By iJOo"
		$s2 = "First we check if there has been asked for a working directory"
		$s3 = "http://ayyildiz.org/images/whosonline2.gif"
	condition:
		2 of them
}

rule Phyton_Shell_py {
	meta:
		description = "Semi-Auto-generated  - file Phyton Shell.py.txt"
		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
		hash = "92b3c897090867c65cc169ab037a0f55"
	strings:
		$s1 = "sh_out=os.popen(SHELL+\" \"+cmd).readlines()" fullword
		$s2 = "#   d00r.py 0.3a (reverse|bind)-shell in python by fQ" fullword
		$s3 = "print \"error; help: head -n 16 d00r.py\"" fullword
		$s4 = "print \"PW:\",PW,\"PORT:\",PORT,\"HOST:\",HOST" fullword
	condition:
		1 of them
}

rule cgi_python_py {
	meta:
		description = "Semi-Auto-generated  - file cgi-python.py.txt"
		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
		hash = "0a15f473e2232b89dae1075e1afdac97"
	strings:
		$s0 = "a CGI by Fuzzyman"
		$s1 = "\"\"\"+fontline +\"Version : \" + versionstring + \"\"\", Running on : \"\"\" + "
		$s2 = "values = map(lambda x: x.value, theform[field])     # allows for"
	condition:
		1 of them
}

rule telnetd_pl {
	meta:
		description = "Semi-Auto-generated  - file telnetd.pl.txt"
		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
		hash = "5f61136afd17eb025109304bd8d6d414"
	strings:
		$s0 = "0ldW0lf" fullword
		$s1 = "However you are lucky :P"
		$s2 = "I'm FuCKeD"
		$s3 = "ioctl($CLIENT{$client}->{shell}, &TIOCSWINSZ, $winsize);#"
		$s4 = "atrix@irc.brasnet.org"
	condition:
		1 of them
}

rule telnet_cgi {
	meta:
		description = "Semi-Auto-generated  - file telnet.cgi.txt"
		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
		hash = "dee697481383052980c20c48de1598d1"
	strings:
		$s1 = "W A R N I N G: Private Server"
		$s2 = "print \"Set-Cookie: SAVEDPWD=;\\n\"; # remove password cookie"
		$s3 = "$Prompt = $WinNT ? \"$CurrentDir> \" : \"[admin\\@$ServerName $C"
	condition:
		1 of them
}
rule h4ntu_shell__powered_by_tsoi_ {
	meta:
		description = "Semi-Auto-generated  - file h4ntu shell [powered by tsoi].txt"
		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
		hash = "06ed0b2398f8096f1bebf092d0526137"
	strings:
		$s0 = "h4ntu shell"
		$s1 = "system(\"$cmd 1> /tmp/cmdtemp 2>&1; cat /tmp/cmdtemp; rm /tmp/cmdtemp\");"
	condition:
		1 of them
}
rule Webshell_and_Exploit_CN_APT_HK : Webshell
{
meta:
	author = "Florian Roth"
	description = "Webshell and Exploit Code in relation with APT against Honk Kong protesters"
	date = "10.10.2014"
	score = 50
strings:
	$a0 = "<script language=javascript src=http://java-se.com/o.js</script>" fullword
	$s0 = "<span style=\"font:11px Verdana;\">Password: </span><input name=\"password\" type=\"password\" size=\"20\">"
	$s1 = "<input type=\"hidden\" name=\"doing\" value=\"login\">"
condition:
	$a0 or ( all of ($s*) )
}
rule CN_Honker_mafix_root {
    meta:
        description = "Script from disclosed CN Honker Pentest Toolset - file root"
        author = "Florian Roth"
        reference = "Disclosed CN Honker Pentest Toolset"
        date = "2015-06-23"
		score = 70
        hash = "826778ef9c22177d41698b467586604e001fed19"
    strings:
        $s0 = "echo \"# vbox (voice box) getty\" >> /tmp/.init1" fullword ascii /* PEStudio Blacklist: strings */
        $s1 = "cp /var/log/tcp.log $HOMEDIR/.owned/bex2/snifflog" fullword ascii
        $s2 = "if [ -f /sbin/xlogin ]; then" fullword ascii /* PEStudio Blacklist: strings */
    condition:
        filesize < 96KB and all of them
}

rule CN_Honker_passwd_dict_3389 {
    meta:
        description = "Script from disclosed CN Honker Pentest Toolset - file 3389.txt"
        author = "Florian Roth"
        reference = "Disclosed CN Honker Pentest Toolset"
        date = "2015-06-23"
		score = 70
        hash = "2897e909e48a9f56ce762244c3a3e9319e12362f"
    strings:
        $s0 = "654321" fullword ascii /* reversed goodware string '123456' */
        $s1 = "admin123" fullword ascii /* PEStudio Blacklist: strings */
        $s2 = "admin123456" fullword ascii /* PEStudio Blacklist: strings */
        $s3 = "administrator" fullword ascii /* PEStudio Blacklist: strings */ /* Goodware String - occured 2 times */
        $s4 = "passwd" fullword ascii /* PEStudio Blacklist: strings */ /* Goodware String - occured 42 times */
        $s5 = "password" fullword ascii /* PEStudio Blacklist: strings */ /* Goodware String - occured 244 times */
        $s7 = "12345678" fullword ascii /* Goodware String - occured 29 times */
        $s8 = "888888" fullword ascii /* Goodware String - occured 61 times */
    condition:
        filesize < 1KB and all of them
}

rule CN_Honker_Perl_serv_U {
    meta:
        description = "Script from disclosed CN Honker Pentest Toolset - file Perl-serv-U.pl"
        author = "Florian Roth"
        reference = "Disclosed CN Honker Pentest Toolset"
        date = "2015-06-23"
		score = 70
        hash = "f333c597ff746ebd5a641fbc248497d61e3ec17b"
    strings:
        $s1 = "$dir = 'C:\\\\WINNT\\\\System32\\\\';" fullword ascii /* PEStudio Blacklist: strings */
        $s2 = "$sock = IO::Socket::INET->new(\"127.0.0.1:$adminport\") || die \"fail\";" fullword ascii /* PEStudio Blacklist: strings */
    condition:
        filesize < 8KB and all of them
}

rule CN_Honker_F4ck_Team_f4ck {
    meta:
        description = "Script from disclosed CN Honker Pentest Toolset - file f4ck.txt"
        author = "Florian Roth"
        reference = "Disclosed CN Honker Pentest Toolset"
        date = "2015-06-23"
		score = 70
        hash = "e216f4ba3a07de5cdbb12acc038cd8156618759e"
    strings:
        $s0 = "PassWord:F4ckTeam!@#" fullword ascii /* PEStudio Blacklist: strings */
        $s1 = "UserName:F4ck" fullword ascii /* PEStudio Blacklist: strings */
        $s2 = "F4ck Team" fullword ascii
    condition:
        filesize < 1KB and all of them
}

rule CN_Honker_sig_3389_3389 {
    meta:
        description = "Script from disclosed CN Honker Pentest Toolset - file 3389.vbs"
        author = "Florian Roth"
        reference = "Disclosed CN Honker Pentest Toolset"
        date = "2015-06-23"
		score = 70
        hash = "f92b74f41a2138cc05c6b6993bcc86c706017e49"
    strings:
        $s1 = "success = obj.run(\"cmd /c takeown /f %SystemRoot%\\system32\\sethc.exe&echo y| " ascii /* PEStudio Blacklist: strings */
    condition:
        filesize < 10KB and all of them
}

rule CN_Honker_sig_3389_3389_2 {
    meta:
        description = "Script from disclosed CN Honker Pentest Toolset - file 3389.bat"
        author = "Florian Roth"
        reference = "Disclosed CN Honker Pentest Toolset"
        date = "2015-06-23"
		score = 70
        hash = "5ff92f39ade12f8ba6cb75dfdc9bb907e49f0ebd"
    strings:
        $s1 = "@del c:\\termsrvhack.dll" fullword ascii
        $s2 = "@del c:\\3389.txt" fullword ascii
    condition:
        filesize < 3KB and all of them
}

rule CN_Honker_Injection_Transit_jmCook {
    meta:
        description = "Script from disclosed CN Honker Pentest Toolset - file jmCook.asp"
        author = "Florian Roth"
        reference = "Disclosed CN Honker Pentest Toolset"
        date = "2015-06-23"
		score = 70
        hash = "5e1851c77ce922e682333a3cb83b8506e1d7395d"
    strings:
        $s1 = ".Open \"POST\",PostUrl,False" fullword ascii /* PEStudio Blacklist: strings */
        $s2 = "JmdcwName=request(\"jmdcw\")" fullword ascii /* PEStudio Blacklist: strings */
    condition:
        filesize < 9KB and all of them
}

rule CN_Honker_Pwdump7_Pwdump7 {
    meta:
        description = "Script from disclosed CN Honker Pentest Toolset - file Pwdump7.bat"
        author = "Florian Roth"
        reference = "Disclosed CN Honker Pentest Toolset"
        date = "2015-06-23"
		score = 70
        hash = "67d0e215c96370dcdc681bb2638703c2eeea188a"
    strings:
        $s1 = "Pwdump7.exe >pass.txt" fullword ascii /* PEStudio Blacklist: strings */
    condition:
        filesize < 1KB and all of them
}

rule CN_Honker_portRecall_pr {
    meta:
        description = "Script from disclosed CN Honker Pentest Toolset - file pr"
        author = "Florian Roth"
        reference = "Disclosed CN Honker Pentest Toolset"
        date = "2015-06-23"
		score = 70
        hash = "583cf6dc2304121d835f2879803a22fea76930f3"
    strings:
        $s1 = "Usage: Same as lcx.exe in win32 :)" fullword ascii
        $s2 = "connect to client" fullword ascii /* PEStudio Blacklist: strings */
        $s3 = "PR(Packet redirection) for linux " fullword ascii /* PEStudio Blacklist: strings */
    condition:
        filesize < 70KB and all of them
}

rule CN_Honker_sig_3389_3389_3 {
    meta:
        description = "Script from disclosed CN Honker Pentest Toolset - file 3389.bat"
        author = "Florian Roth"
        reference = "Disclosed CN Honker Pentest Toolset"
        date = "2015-06-23"
		score = 70
        hash = "cfedec7bd327897694f83501d76063fe16b13450"
    strings:
        $s1 = "echo \"fDenyTSConnections\"=dword:00000000>>3389.reg " fullword ascii /* PEStudio Blacklist: strings */
        $s2 = "echo \"PortNumber\"=dword:00000d3d>>3389.reg " fullword ascii /* PEStudio Blacklist: strings */
        $s3 = "echo [HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server]>>" ascii /* PEStudio Blacklist: strings */
    condition:
        filesize < 2KB and all of them
}

rule CN_Honker_Alien_D {
    meta:
        description = "Script from disclosed CN Honker Pentest Toolset - file D.ASP"
        author = "Florian Roth"
        reference = "Disclosed CN Honker Pentest Toolset"
        date = "2015-06-23"
		score = 70
        hash = "de9cd4bd72b1384b182d58621f51815a77a5f07d"
    strings:
        $s0 = "Paths_str=\"c:\\windows\\\"&chr(13)&chr(10)&\"c:\\Documents and Settings\\\"&chr" ascii /* PEStudio Blacklist: strings */
        $s1 = "CONST_FSO=\"Script\"&\"ing.Fil\"&\"eSyst\"&\"emObject\"" fullword ascii /* PEStudio Blacklist: strings */
        $s2 = "Response.Write \"<form id='form1' name='form1' method='post' action=''>\"" fullword ascii /* PEStudio Blacklist: strings */
        $s3 = "set getAtt=FSO.GetFile(filepath)" fullword ascii
        $s4 = "Response.Write \"<input name='NoCheckTemp' type='checkbox' id='NoCheckTemp' chec" ascii
    condition:
        filesize < 30KB and 2 of them
}

rule CN_Honker_ChinaChopper_db {
    meta:
        description = "Script from disclosed CN Honker Pentest Toolset - file db.mdb"
        author = "Florian Roth"
        reference = "Disclosed CN Honker Pentest Toolset"
        date = "2015-06-23"
		score = 70
        hash = "af79ff2689a6b7a90a5d3c0ebe709e42f2a15597"
    strings:
        $s1 = "http://www.maicaidao.com/server.phpcaidao" fullword wide /* PEStudio Blacklist: strings */
        $s2 = "<O>act=login</O>" fullword wide /* PEStudio Blacklist: strings */
        $s3 = "<H>localhost</H>" fullword wide /* PEStudio Blacklist: strings */
    condition:
        filesize < 340KB and 2 of them
}

rule CN_Honker_syconfig {
    meta:
        description = "Script from disclosed CN Honker Pentest Toolset - file syconfig.dll"
        author = "Florian Roth"
        reference = "Disclosed CN Honker Pentest Toolset"
        date = "2015-06-23"
		score = 70
        hash = "ff75353df77d610d3bccfbffb2c9dfa258b2fac9"
    strings:
        $s9 = "Hashq.CrackHost+FormUnit" fullword ascii /* PEStudio Blacklist: strings */
    condition:
        uint16(0) == 0x0100 and filesize < 18KB and all of them
}

rule CN_Honker_linux_bin {
    meta:
        description = "Script from disclosed CN Honker Pentest Toolset - file linux_bin"
        author = "Florian Roth"
        reference = "Disclosed CN Honker Pentest Toolset"
        date = "2015-06-23"
		score = 70
        hash = "26e71e6ebc6a3bdda9467ce929610c94de8a7ca0"
    strings:
        $s1 = "client.sin_port = htons(atoi(argv[3]));" fullword ascii /* PEStudio Blacklist: strings */
        $s2 = "printf(\"\\n\\n*********Waiting Client connect*****\\n\\n\");" fullword ascii /* PEStudio Blacklist: strings */
    condition:
        filesize < 20KB and all of them
}

rule CN_Honker_Intersect2_Beta {
    meta:
        description = "Script from disclosed CN Honker Pentest Toolset - file Intersect2-Beta.py"
        author = "Florian Roth"
        reference = "Disclosed CN Honker Pentest Toolset"
        date = "2015-06-23"
		score = 70
        hash = "3ba5f720c4994cd4ad519b457e232365e66f37cc"
    strings:
        $s1 = "os.system(\"ls -alhR /home > AllUsers.txt\")" fullword ascii /* PEStudio Blacklist: strings */
        $s2 = "os.system('getent passwd > passwd.txt')" fullword ascii /* PEStudio Blacklist: strings */
        $s3 = "os.system(\"rm -rf credentials/\")" fullword ascii /* PEStudio Blacklist: strings */
    condition:
        uint16(0) == 0x2123 and filesize < 50KB and 2 of them
}

rule CN_Honker_IIS_logcleaner1_0_readme {
    meta:
        description = "Script from disclosed CN Honker Pentest Toolset - file readme.txt"
        author = "Florian Roth"
        reference = "Disclosed CN Honker Pentest Toolset"
        date = "2015-06-23"
		score = 70
        hash = "2ab47d876b49e9a693f602f3545381415e82a556"
    strings:
        $s2 = "LogCleaner.exe <ip> [Logpath]" fullword ascii
        $s3 = "http://l-y.vicp.net" fullword ascii
    condition:
        filesize < 7KB and all of them
}

rule CN_Honker_Alien_command {
    meta:
        description = "Script from disclosed CN Honker Pentest Toolset - file command.txt"
        author = "Florian Roth"
        reference = "Disclosed CN Honker Pentest Toolset"
        date = "2015-06-23"
		score = 70
        hash = "5896b74158ef153d426fba76c2324cd9c261c709"
    strings:
        $s0 = "for /d %i in (E:\\freehost\\*) do @echo %i" fullword ascii /* PEStudio Blacklist: strings */
        $s1 = "/c \"C:\\windows\\temp\\cscript\" C:\\windows\\temp\\iis.vbs" fullword ascii /* PEStudio Blacklist: strings */
    condition:
        filesize < 8KB and all of them
}

rule CN_Honker_portRecall_bc {
    meta:
        description = "Script from disclosed CN Honker Pentest Toolset - file bc.pl"
        author = "Florian Roth"
        reference = "Disclosed CN Honker Pentest Toolset"
        date = "2015-06-23"
		score = 70
        hash = "2084990406398afd856b2309c7f579d7d61c3767"
    strings:
        $s0 = "print \"[*] Connected to remote host \\n\"; " fullword ascii /* PEStudio Blacklist: strings */
        $s1 = "print \"Usage: $0 [Host] [Port] \\n\\n\";  " fullword ascii /* PEStudio Blacklist: strings */
        $s5 = "print \"[*] Resolving HostName\\n\"; " fullword ascii /* PEStudio Blacklist: strings */
    condition:
        filesize < 10KB and all of them
}

rule CN_Honker_Tuoku_script_MSSQL_ {
    meta:
        description = "Script from disclosed CN Honker Pentest Toolset - file MSSQL_.asp"
        author = "Florian Roth"
        reference = "Disclosed CN Honker Pentest Toolset"
        date = "2015-06-23"
		score = 70
        hash = "7097c21f92306983add3b5b29a517204cd6cd819"
    strings:
        $s1 = "GetLoginCookie = Request.Cookies(Cookie_Login)" fullword ascii /* PEStudio Blacklist: strings */
        $s2 = "if ShellPath=\"\" Then ShellPath = \"c:\\\\windows\\\\system32\\\\cmd.exe\"" fullword ascii /* PEStudio Blacklist: strings */
        $s8 = "Set DD=CM.exec(ShellPath&\" /c \"&DefCmd)" fullword ascii /* PEStudio Blacklist: strings */
    condition:
        filesize < 100KB and all of them
}

rule CN_Honker_nc_MOVE {
    meta:
        description = "Script from disclosed CN Honker Pentest Toolset - file MOVE.txt"
        author = "Florian Roth"
        reference = "Disclosed CN Honker Pentest Toolset"
        date = "2015-06-23"
		score = 70
        hash = "4195370c103ca467cddc8f2724a8e477635be424"
    strings:
        $s0 = "Destination: http://202.113.20.235/gj/images/2.asp" fullword ascii /* PEStudio Blacklist: strings */
        $s1 = "HOST: 202.113.20.235" fullword ascii /* PEStudio Blacklist: strings */
        $s2 = "MOVE /gj/images/A.txt HTTP/1.1" fullword ascii
    condition:
        filesize < 1KB and all of them
}

rule CN_Honker_mssqlpw_scan {
    meta:
        description = "Script from disclosed CN Honker Pentest Toolset - file mssqlpw scan.txt"
        author = "Florian Roth"
        reference = "Disclosed CN Honker Pentest Toolset"
        date = "2015-06-23"
		score = 70
        hash = "e49def9d72bfef09a639ef3f7329083a0b8b151c"
    strings:
        $s0 = "response.Write(\"I Get it ! Password is <font color=red>\" & str & \"</font><BR>" ascii /* PEStudio Blacklist: strings */
        $s1 = "response.Write \"Done!<br>Process \" & tTime & \" s\"" fullword ascii /* PEStudio Blacklist: strings */
    condition:
        filesize < 6KB and all of them
}
rule InjectionParameters {
    meta:
        description = "Chinese Hacktool Set - file InjectionParameters.vb"
        author = "Florian Roth"
        reference = "http://tools.zjqhr.com/"
        date = "2015-06-13"
        hash = "4f11aa5b3660c45e527606ee33de001f4994e1ea"
    strings:
        $s0 = "Public Shared ReadOnly Empty As New InjectionParameters(-1, \"\")" fullword ascii
        $s1 = "Public Class InjectionParameters" fullword ascii
    condition:
        filesize < 13KB and all of them
}
rule Txt_shell {
    meta:
        description = "Chinese Hacktool Set - Webshells - file shell.c"
        author = "Florian Roth"
        reference = "http://tools.zjqhr.com/"
        date = "2015-06-14"
        hash = "8342b634636ef8b3235db0600a63cc0ce1c06b62"
    strings:
        $s1 = "printf(\"Could not connect to remote shell!\\n\");" fullword ascii
        $s2 = "printf(\"Usage: %s <reflect ip> <port>\\n\", prog);" fullword ascii
        $s3 = "execl(shell,\"/bin/sh\",(char *)0);" fullword ascii
        $s4 = "char shell[]=\"/bin/sh\";" fullword ascii
        $s5 = "connect back door\\n\\n\");" fullword ascii
    condition:
        filesize < 2KB and 2 of them
}
rule Txt_ftp {
    meta:
        description = "Chinese Hacktool Set - Webshells - file ftp.txt"
        author = "Florian Roth"
        reference = "http://tools.zjqhr.com/"
        date = "2015-06-14"
        hash = "3495e6bcb5484e678ce4bae0bd1a420b7eb6ad1d"
    strings:
        $s1 = "';exec master.dbo.xp_cmdshell 'echo open " ascii
        $s2 = "';exec master.dbo.xp_cmdshell 'ftp -s:';" ascii
        $s3 = "';exec master.dbo.xp_cmdshell 'echo get lcx.exe" ascii
        $s4 = "';exec master.dbo.xp_cmdshell 'echo get php.exe" ascii
        $s5 = "';exec master.dbo.xp_cmdshell 'copy " ascii
        $s6 = "ftp -s:d:\\ftp.txt " fullword ascii
        $s7 = "echo bye>>d:\\ftp.txt " fullword ascii
    condition:
        filesize < 2KB and 2 of them
}
rule Txt_lcx {
    meta:
        description = "Chinese Hacktool Set - Webshells - file lcx.c"
        author = "Florian Roth"
        reference = "http://tools.zjqhr.com/"
        date = "2015-06-14"
        hash = "ddb3b6a5c5c22692de539ccb796ede214862befe"
    strings:
        $s1 = "printf(\"Usage:%s -m method [-h1 host1] -p1 port1 [-h2 host2] -p2 port2 [-v] [-l" ascii
        $s2 = "sprintf(tmpbuf2,\"\\r\\n########### reply from %s:%d ####################\\r\\n" ascii
        $s3 = "printf(\" 3: connect to HOST1:PORT1 and HOST2:PORT2\\r\\n\");" fullword ascii
        $s4 = "printf(\"got,ip:%s,port:%d\\r\\n\",inet_ntoa(client1.sin_addr),ntohs(client1.sin" ascii
        $s5 = "printf(\"[-] connect to host1 failed\\r\\n\");" fullword ascii
    condition:
        filesize < 25KB and 2 of them
}
rule CN_Tools_xbat {
    meta:
        description = "Chinese Hacktool Set - file xbat.vbs"
        author = "Florian Roth"
        reference = "http://tools.zjqhr.com/"
        date = "2015-06-13"
        hash = "a7005acda381a09803b860f04d4cae3fdb65d594"
    strings:
        $s0 = "ws.run \"srss.bat /start\",0 " fullword ascii 
        $s1 = "Set ws = Wscript.CreateObject(\"Wscript.Shell\")" fullword ascii 
    condition:
        uint16(0) == 0x6553 and filesize < 0KB and all of them
}
rule CN_Tools_srss {
    meta:
        description = "Chinese Hacktool Set - file srss.bat"
        author = "Florian Roth"
        reference = "http://tools.zjqhr.com/"
        date = "2015-06-13"
        hash = "092ab0797947692a247fe80b100fb4df0f9c37a0"
    strings:
        $s0 = "srss.exe -idx 0 -ip"
        $s1 = "-port 21 -logfilter \"_USER ,_P" ascii 
    condition:
        filesize < 100 and all of them
}
rule dll_UnReg {
    meta:
        description = "Chinese Hacktool Set - file UnReg.bat"
        author = "Florian Roth"
        reference = "http://tools.zjqhr.com/"
        date = "2015-06-13"
        hash = "d5e24ba86781c332d0c99dea62f42b14e893d17e"
    strings:
        $s0 = "regsvr32.exe /u C:\\windows\\system32\\PacketX.dll" fullword ascii 
        $s1 = "del /F /Q C:\\windows\\system32\\PacketX.dll" fullword ascii 
    condition:
        filesize < 1KB and 1 of them
}
rule dll_Reg {
    meta:
        description = "Chinese Hacktool Set - file Reg.bat"
        author = "Florian Roth"
        reference = "http://tools.zjqhr.com/"
        date = "2015-06-13"
        hash = "cb8a92fe256a3e5b869f9564ecd1aa9c5c886e3f"
    strings:
        $s0 = "copy PacketX.dll C:\\windows\\system32\\PacketX.dll" fullword ascii 
        $s1 = "regsvr32.exe C:\\windows\\system32\\PacketX.dll" fullword ascii 
    condition:
        filesize < 1KB and all of them
}
rule sbin_squid {
    meta:
        description = "Chinese Hacktool Set - file squid.bat"
        author = "Florian Roth"
        reference = "http://tools.zjqhr.com/"
        date = "2015-06-13"
        hash = "8b795a8085c3e6f3d764ebcfe6d59e26fdb91969"
    strings:
        $s0 = "del /s /f /q" fullword ascii
        $s1 = "squid.exe -z" fullword ascii
        $s2 = "net start Squid" fullword ascii 
        $s3 = "net stop Squid" fullword ascii 
    condition:
        filesize < 1KB and all of them
}
rule sql1433_creck {
    meta:
        description = "Chinese Hacktool Set - file creck.bat"
        author = "Florian Roth"
        reference = "http://tools.zjqhr.com/"
        date = "2015-06-13"
        hash = "189c11a3b268789a3fbcfac3bd4e03cbfde87b1d"
    strings:
        $s0 = "start anhao3.exe -i S.txt -p  pass3.txt -o anhao.txt -l Them.txt -t 1000" fullword ascii 
        $s1 = "start anhao1.exe -i S.txt -p  pass1.txt -o anhao.txt -l Them.txt -t 1000" fullword ascii 
        $s2 = "start anhao2.exe -i S.txt -p  pass2.txt -o anhao.txt -l Them.txt -t 1000" fullword ascii 
    condition:
        uint16(0) == 0x7473 and filesize < 1KB and 1 of them
}
rule sql1433_Start {
    meta:
        description = "Chinese Hacktool Set - file Start.bat"
        author = "Florian Roth"
        reference = "http://tools.zjqhr.com/"
        date = "2015-06-13"
        hash = "bd4be10f4c3a982647b2da1a8fb2e19de34eaf01"
    strings:
        $s1 = "for /f \"eol=- tokens=1 delims= \" %%i in (result.txt) do echo %%i>>s1.txt" fullword ascii 
        $s2 = "start creck.bat" fullword ascii 
        $s3 = "del s1.txt" fullword ascii
        $s4 = "del Result.txt" fullword ascii
        $s5 = "del s.TXT" fullword ascii
        $s6 = "mode con cols=48 lines=20" fullword ascii
    condition:
        filesize < 1KB and 2 of them
}